On-boarding

Prerequisites

Resource Provider

Go to: https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade
Select target subscription > Resource providers
Search “Microsoft.SecurityInsights” > Register

Microsoft Sentinel - enable Microsoft.SecurityInsights resource provider

Log Analytics Workspace

Add Sentinel to Workspace Using Azure Portal

After adding Sentinel to Log Analytics Workspace, we should plan from which resources/services data will be ingested into sentinel.

Azure Activity

To push activity logs to sentinel, Assign policy: Configure Azure Activity logs to stream to specified Log Analytics workspace
Activity logs will be streamed to sentinel Log Analytics workspace by policy assignment

Azure AD (for simplicity, only 2 types of logs are being considered)

Sign-in Logs
Audit Logs
Requirements:
- Azure AD P1 or P2 license
- User who is configuring Sentinel: ‘Global Administrator’ or ‘Security Administrator’ on the workspace’s tenant

Azure Firewall

Application Gateway WAF

The above is just example, you can choose many data sources if required.

Connect data sources to start ingesting data into Microsoft Sentinel
- Sentinel comes with many connectors for Microsoft products
- Also out-of-the-box connectors to the broader security ecosystem for non-Microsoft products
Sentinel data connectors page shows the full list of connectors that Microsoft Sentinel provides, and their status in your workspace
- Need to fulfill all the prerequisites
- Connector page has complete instructions to ingest the data to Microsoft Sentinel